Cybersecurity, 2019

Stay Ahead of the Stress: How to Prepare for Your 2019 IT Security Audit

25 Feb 2019 | Robby Stevens



An IT audit is an incredibly powerful component to keeping yours and your members’ information safe and sound every year. The purpose of that audit is to help ensure the effectiveness of your security program – and, although it may breed stress and anxiety in the workplace from time to time, it’s a very important process everyone must go through.


You may be telling yourself, Yes, I get it. My organization’s data IT audit serves a good purpose, but more often than not, it’s burdensome and distracts me from far more pressing work.

We totally get it. Cybersecurity is in the spotlight right now, and the pressure to stay compliant with new laws and practices can cause momentum-stopping disruptions to business. To add to this stress, these mandatory regulations that govern IT security at credit unions are complex and intimidating; and small mistakes carry huge penalties (especially after the passing of GDPR last year).


Preparing for an IT Security Audit Doesn’t Have to Be Stressful

Wow! We know that was a lot of negatives, but there is good news! Since CUNA announced their partnership with our friends and business partner, Quantivate, in October of last year, preparing for your annual IT audit may end up being far more manageable in 2019. As CUNA’s new provider of an innovative technology platform that’s designed to integrate compliance solutions for credit unions, nearly every credit union in the U.S. has the ability to transform the way they approach compliance in 2019.


Ok great – I have this awesome piece of technology, but what practical steps can I take supplementally to alleviate the headache of preparing for my credit union’s annual IT security audit?


Luckily, there are loads of things you can do to ease the coming of audit season––and we’ve condensed them down here for you in four easy steps:

1. Identify Security Control Requirements

Security controls work like countermeasures to avoid and mitigate the risk you face. These controls are based on several methodologies, including FFIEC, FDIC, OCC, NCUA, and a bevy of others. Although you can receive relatively standardized information from the FFIEC’s Cybersecurity Awareness Tool (CAT), your auditor may require additional security controls derived from any of these methodologies.

Understanding exactly what controls you need satisfied for your audit is as essential to maintaining compliance as a compass is for a sailor. Building yourself an effective roadmap will not only give you a goal to attain, but will also begin to alleviate some of the pressure and headache of your upcoming audit.


Check out our free IT Compliance Framework guide to help you identify the most common security control requirements for your organization.

2. Track Your Control Progress

Once you’ve mapped out your security control requirements, you can now begin to implement and gauge the effectiveness of these controls. Keep adequate records of when these new controls are put in place and which requirements are being satisfied through your hard work. Tracking your progress shows your compliance officer exactly what you’re doing to uphold your organization’s ongoing dedication to keeping information safe.


Tracking your control progress serves two primary functions: one, it keeps your compliance team aware of how you’re building your security program and provides direction and next steps for how to move forward; two, it keeps both the executives and board of directors in the loop when you have the ability to generate real-time reports. Keeping the folks at “The Table” happy and informed sheds immediate stress and probably adds years to your life (we’re still waiting on scientists to get back to us on that last claim).


At Rivial, we know that tracking control progress is an essential part of reducing the hassle of an IT security audit, so we decided to design a software that does this all for you. We call it Managed Compliance.


With our one-of-a-kind tool, your organization obtains amplified visibility through our online dashboard into where exactly your organization falls along the scope of compliance. Even better, you can effortlessly generate compliance reports for executives, auditors, and team members with only the click of a button.

3. Collect Evidence Throughout the Year

One of the most laborious and frustrating portions of preparing for your examiners comes when collecting evidence of your controls. We often see audit teams spending weeks before their examination working on little else than this. The whole process is arduous at best and it is usually the last thing any IT manager wants to spend time on with so many other tasks and projects on their plate.

To stay ahead of the stress of your upcoming audit, we highly encourage you to spread this workload out throughout the year.

Again, Rivial would love to take care of some of the heavy lifting here. With Managed Compliance, we’ve constructed built-in automations that remind your team to stay current on evidence collections. The sweetest part of this treat comes in our intuitive method of organizing this evidence; simply fill in the required fields, and everything you need is stored in a central repository that can be quickly and efficiently accessed by you at any time.

Take A Load Off of Your Shoulders

If you’d like to hear more about Managed Compliance, or our whole suite of Virtual CISO services, we’d love to organize a quick discovery call with you.